Improve Security of University Data and IT Assets

UC Berkeley has a responsibility to protect key University research and informational assets. The ever-changing landscape of threats and expanded legislation requires a proactive stance against potential vulnerabilities. Our go-forward approach includes an expanded policy base, education about shared responsibilities for managing critical information assets, a strengthened information security compliance program, risk assessments, and improved metrics and reporting on University information risk.

Projects we are working on in support of this action item are listed below (projects in progress; completed projects are tracked separately by year). For each project: the project name and sponsor, its value to campus, and milestones and additional information.

Berkeley Person Registry
Sponsor: Paul Rivers, Chief Information Security Officer

Every member of the Berkeley community requires a CalNet ID, and this project ensures that each person is provisioned with a single, universal identifier in a timely manner. A modern Person Registry provides the ability to better manage identity information for a growing number of University constituents. This enables faster onboarding of new students and employees and reduces the future cost of maintaining the legacy system.

During FY15 the project was designed and architected. A System of Record Gateway was built to manage the intake of identity data from many different authoritative stores.

Connectors for HR, Student and Advancement data sources were built and tested.  A Person Match engine was designed and built to ensure that campus members with multiple roles are provisioned only a single CalNet credential with multiple roles.

Data flow infrastructure components were configured and deployed to handle the movement of data in and out of the Person Registry. These components include JMS servers and an OpenIDM identity-provisioning tool.

A service for assigning unique identifiers was created and a number of APIs deployed to handle the distribution of identity data to partner applications.

  • December 2015 – All new graduate students will be imported and have their accounts provisioned through the new Person Registry and account claim system.  This will be the first cohort to never exist in the legacy student system. Undergraduates, employees and advancement constituents will continue to be handled by legacy Sync Code.
  • March 2016 – All new undergraduate students will also be onboarded through the new Registry. By the end of March, all staff, faculty and advancement constituents will also be moved to the Berkeley Person Registry and the legacy Sync Code will be retired.
  • April 2016 – End of Fiscal – Guest CalNet accounts will be incorporated into the Berkeley Person Registry allowing the seamless flow of guests in and out of the guest system as their roles and relationships with the university change.

In FY16 the entire service will be deployed to production. The new Student Information System will be integrated as the source for student data. A new credential claim and password management application will be deployed to create a smoother onboarding experience for staff, students, faculty and partners. The entire new experience will go online in the third quarter of FY16 and the legacy Sync Code will be retired.

Information Security Strategy
Sponsor: Paul Rivers, Chief Information Security Officer

View draft information security strategy (access to document requires CalNet authentication)

Establish a broad risk-based and campus-wide process for identifying and addressing the increasingly sophisticated threats to institutional data and campus IT infrastructure.

Implementation of the proposed campus information security strategy, which includes:

1. Socialize Extended Policy Base: The extended policy framework outline has been completed and in the fall we will begin outreach to the campus for their feedback and acceptance.

2. Assessments: of critical campus systems and unit compliance with information security minimum standards.

3. Ongoing operational improvements: to provide increased levels of monitoring and protection of the campus network and institutional data.

4. Parity of information risk: ensuring appropriate protection of institutional information both on campus and externally.

Completed foundational operational improvements to extend security operations capabilities.

Supporting campus units and contracting offices with new privacy and data security contracts review program.

Convened new Information Risk Governance Committee (IRGC) and began to address privacy and information security balancing.

1. Policy: The policy expansion effort has produced a proactive information risk management program that includes the following policies:

a. Governance
b. Classification Policy
c. Campus Unit Policy
d. Campus Service Provider Policy
e. Asset Protection Policy
f. Compliance Policy
g. Supplier and 3rd Party Policy
h. Exception Policy
i. Incident Response Policy

  • July 2016 - Publication of Extended Policy and Standards
  • July 1, 2017 - Campus adoption (effective date) of Extended Policy and Standards

2. Assessment
a. Ongoing assessments of critical infrastructure and campus information systems. The assessment team performs 30-50 assessments per year as part of an ongoing effort to ensure Campus systems meet a reasonable minimum security posture as defined in Campus policy or external compliance mandates. These assessments range from reviews to enable receipt of research data from government agencies to critical administrative applications that allow the Campus to accept credit cards. These assessments routinely identify critical issues, and also provide specific guidance and timelines for addressing the issues.

2016 - Continue the assessment process to maintain the 30-50 assessments per year; the range allows for different levels of complexity of assessments.

b. New assessment model: information risk impact assessment. The information security theme is "security is everyone's job", yet it is often poorly understood what role non-IT staff have to play in information security. Understanding the impact of a security incident on a lab, school, department or other portion of the University is best done by those who are ultimately responsible for those areas. This impact assessment allows for a rational determination of what resources should be allocated to the protection of different IT assets. A process to facilitate this impact assessment, along with an engagement schedule, will be developed and implemented.

  • July 2015 - Engagement model and resources development complete
  • Sept. - Dec 2015 - Pilot model
  • Jan. - March 2016 - Model adjustments
  • April 2016 - Execution of plan to use model to cover Campus

3. Continuous Improvements
a. Reporting portal for security incidents. Campus notices for security information will move from an email and ticketing solution to a GRC-style web portal. The portal allows far more efficient tracking of current security status by eliminating the piecemeal and ill-suited ticketing approach used today, and will enable the development of self-service tools to investigate and resolve incidents according to campus minimum security standards. An API will be exposed so that groups who wish to develop internal automation around security incident response workflows may do so.

  • June 2015 - Beta of Incident View for a pilot group of security
  • Oct. 2015 - General roll-out of Incident View for Security Contacts
  • Dec. 2015 - Support for Security Incident API for Security Contacts
  • April 2016 - Beta testing of self-remediation for selected Security Contacts

b. Advancing intrusion detection capabilities. The current approach to intrusion detection requires inspection of all data transmitted on the Campus network to detect suspicious patterns. The network is increasingly "going dark" as encryption is adopted even by malware and attackers. In addition, this traditional approach to intrusion detection requires significant investment in skilled labor. The industry trend has been toward compiling reputation data, which pinpoints bad actors on the internet by IP address and time range. Correlating network flow data with this reputation data expands our detection capabilities, does not depend on unencrypted network traffic, can be highly automated, and may even be translated to off-premise environments such as Amazon AWS. Developing these capabilities requires investing in solid architecture and automated data processing frameworks in a way UC Berkeley has not done to date.

  • Completed March 2015 - Complete automated incident processing pipeline for intrusion detection events ("the SOCK")
  • Completed May 2015 - Correlation of reputation data to network flow data in development
  • Completed Aug. 2015 - Production of intrusion detection systems at SDSC
  • Dec. 2015 - Add new detection capabilities to SDSC
  • Jan. 2016 - Production use of reputation correlation with flow
  • March 2016 - Feeds to DNS-RPZ in production
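As an added illustration of the flow/reputation correlation described above (example code written for this page, not part of UC Berkeley's SOCK pipeline), the block below matches flow records against reputation entries by IP address and time range; the record layouts and the sample addresses are constructed assumptions.

```python
# Added example (not UC Berkeley code); record layouts and addresses are constructed.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-style record: endpoints and start time only, no payload."""
    src: str
    dst: str
    start: datetime

@dataclass(frozen=True)
class Reputation:
    """Reputation entry: an IP reported as malicious during a time window."""
    ip: str
    first_seen: datetime
    last_seen: datetime
    category: str

def correlate(flows: List[Flow], entries: List[Reputation]) -> List[Tuple[Flow, Reputation]]:
    """Return (flow, entry) pairs where either endpoint is a listed IP and the
    flow started inside that entry's window; the window check stops expired
    listings from producing stale alerts."""
    # Index entries by normalized IP so each flow lookup is a single dict probe.
    index: Dict[str, List[Reputation]] = {}
    for e in entries:
        index.setdefault(str(ip_address(e.ip)), []).append(e)
    hits: List[Tuple[Flow, Reputation]] = []
    for f in flows:
        for peer in (f.src, f.dst):
            for rep in index.get(str(ip_address(peer)), []):
                if rep.first_seen <= f.start <= rep.last_seen:
                    hits.append((f, rep))
    return hits

# Constructed sample data (RFC 5737 documentation ranges, not real hosts).
SAMPLE_REPUTATION = [Reputation("198.51.100.7", datetime(2015, 9, 1), datetime(2015, 9, 30), "c2")]
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "198.51.100.7", datetime(2015, 9, 15, 3, 2)),   # outbound, listed
    Flow("198.51.100.7", "192.0.2.10", datetime(2015, 9, 16, 8, 0)),   # inbound, listed
    Flow("192.0.2.11", "198.51.100.7", datetime(2015, 10, 5, 1, 0)),   # listing expired
    Flow("192.0.2.12", "198.51.100.20", datetime(2015, 9, 15, 3, 5)),  # never listed
]

def demo() -> List[Tuple[Flow, Reputation]]:
    return correlate(SAMPLE_FLOWS, SAMPLE_REPUTATION)
```

Only the two flows that touch the listed address inside its reporting window are returned; the flow to the same address after the listing expired and the flow to an unlisted address produce nothing.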

4. Parity of Information Risk - June 2016
Current terms and conditions only loosely track campus privacy and data security requirements. This project will build on the new, comprehensive information security policy framework under development and deliver updated standard terms and conditions that meaningfully apply campus information security policies to suppliers and partners. Doing so will help ensure parity of information risk between services provided on-campus and those delivered by suppliers or partners. In addition, by grounding information security terms and conditions in policy, the campus will be able to apply a consistent process to evaluate exceptions to policy whether they arise with respect to a supplier or with respect to a service delivered on campus.